[x500standard] Re: New draft on password policy

  • From: "Santosh Chokhani" <SChokhani@xxxxxxxxxxxx>
  • To: <x500standard@xxxxxxxxxxxxx>
  • Date: Wed, 23 Sep 2009 16:17:47 -0400

I agree, but revealing the salt or not revealing the salt is not as
security relevant. 

> -----Original Message-----
> From: x500standard-bounce@xxxxxxxxxxxxx 
> [mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of David Wilson
> Sent: Wednesday, September 23, 2009 4:16 PM
> To: x500standard@xxxxxxxxxxxxx
> Subject: [x500standard] Re: New draft on password policy
> 
> On Wed, 2009-09-23 at 16:06 -0400, Santosh Chokhani wrote:
> > I think I am digressing, but when you encrypt, you do not need the key
> > necessarily since both the data and key can be password (the way Unix
> > used to do, and maybe still does).
> > 
> That is OK if the server has the plain text password, as the 
> server can get the salt, and then hash the password it has 
> with the salt found, to see if the result is the same as was 
> passed. However, this has the disadvantages I outlined.
> 
> -----
> www.x500standard.com: The central source for information on 
> the X.500 Directory Standard.
> 
> 